obs-service-tar_scm
[SECURITY!] obs-service-tar_scm leaks credentials.
auth_url modifies self.url and adds credentials.
Later, self.url is used to read / write _servicedata, e.g. when changesgenerate is enabled.
Right now, luckily, this fails with
service obs_scm failed:
File _servicedata is missing tar_scm with URL 'https://github.my.instance/my-project/my-package'
The generated _servicedata has url=https://user:[email protected]/my-project/my-package
But I would not bet that there are other methods of generating a _servicedata file which do not fail, and so the possibility of the credentials leaking is very high.
trivial fix:
Index: b/TarSCM/scm/git.py
===================================================================
--- a/TarSCM/scm/git.py
+++ b/TarSCM/scm/git.py
@@ -102,6 +102,7 @@ class Git(Scm):
def fetch_upstream_scm(self):
"""SCM specific version of fetch_uptream for git."""
+ url = self.url
self.auth_url()
# clone if no .git dir exists
command = self._get_scm_cmd() + ['clone', self.url, self.clone_dir]
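Review bot: `url = self.url` is taken before `self.auth_url()`, so the saved copy is the plain URL, but the clone on the following line is still run with the credentialed `self.url`, and git records the URL it cloned from as `remote.origin.url` in the clone's `.git/config`; this hunk therefore keeps the credentials out of `_servicedata` only, not out of the checkout. A short comment on the local (e.g. `url = self.url  # plain URL; auth_url() embeds credentials into self.url`) would also make the purpose of the saved variable obvious to the next reader.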
@@ -131,6 +132,7 @@ class Git(Scm):
self._get_scm_cmd() + ['checkout', self.revision],
cwd=self.clone_dir
)
+ self.url = url
def fetch_specific_revision(self):
if self.revision and not self._ref_exists(self.revision):
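Review bot: `self.url = url` only executes when the checkout returns normally; if the clone or the checkout raises anywhere between `self.auth_url()` and this line, `self.url` keeps the embedded credentials and a later `_servicedata` write would still leak them. Put the body of `fetch_upstream_scm` after `self.auth_url()` in a `try:` block and do the restore in `finally: self.url = url` so it happens on every exit path.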
However, it needs to be investigated whether the "package-meta" feature will also leak the credentials in .git/config.
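As an added example (not code from obs-service-tar_scm), here is one way to keep the credentialed URL scoped to the clone and to sanitize whatever gets persisted to _servicedata; FakeScm, credentialed_url and fetch are hypothetical stand-ins for the TarSCM objects, and the user/token values are constructed:

```python
from contextlib import contextmanager
from urllib.parse import urlsplit, urlunsplit


def has_userinfo(url):
    """True if the URL carries a user:password@ part; check before writing _servicedata."""
    p = urlsplit(url)
    return p.username is not None or p.password is not None


def strip_userinfo(url):
    """Return url without userinfo; scheme, host, port, path and query are kept."""
    if not has_userinfo(url):
        return url
    p = urlsplit(url)
    netloc = p.netloc.rsplit("@", 1)[-1]   # drop everything before the last '@'
    return urlunsplit((p.scheme, netloc, p.path, p.query, p.fragment))


class FakeScm:
    # Hypothetical stand-in for the TarSCM Scm object; only self.url is modelled.
    def __init__(self, url, user, token):
        self.url, self._user, self._token = url, user, token

    def auth_url(self):
        # Same effect as the auth_url() the issue describes: self.url is rewritten
        # in place to embed the credentials.
        p = urlsplit(self.url)
        netloc = "%s:%s@%s" % (self._user, self._token, p.netloc)
        self.url = urlunsplit((p.scheme, netloc, p.path, p.query, p.fragment))

    @contextmanager
    def credentialed_url(self):
        # Expose the credentialed URL only inside the with-block and restore the
        # clean one afterwards, also when the clone or checkout raises.
        clean = self.url
        self.auth_url()
        try:
            yield self.url
        finally:
            self.url = clean


def fetch(scm, run_clone):
    """run_clone(url) stands for git clone/checkout and may raise."""
    with scm.credentialed_url() as url:
        run_clone(url)
    return strip_userinfo(scm.url)      # what _servicedata may record
```

Note that the credentialed URL still reaches git itself, so the clone's .git/config needs its own handling (for example a credential helper instead of a URL with embedded credentials).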